Re: [PATCH] pgarchives: Add host option for pglister_sync

From: Célestin Matte <celestin(dot)matte(at)cmatte(dot)me>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: pgsql-www(at)lists(dot)postgresql(dot)org
Subject: Re: [PATCH] pgarchives: Add host option for pglister_sync
Date: 2025-02-05 14:37:41
Message-ID: 31a1029c-44fb-4b74-a754-1b081ccfa7c7@cmatte.me
Lists: pgsql-www

> And for very good reasons, because you've removed an important part of the https security!

Which makes sense and is hardly exploitable in that case since we're talking about local traffic.

> Differentiating hosts on https is something SNI has been used for for many years. That seems to be the appropriate solution here as well, if you absolutely need to use https on localhost? (There are things that require that, such as access to browser camera, but I don't see how any of that would apply to a pglister API call, so it seems easier to just not encrypt localhost traffic?)

Problem is that requests made to the domain will be received as coming from the server's external IP address, which makes it difficult to detect it as local traffic (unless hardcoding this IP address in Apache's config).

> Bottom line is this really sounds like a server side issue in the apache configuration, and should be solved there.

Yes, I ended up adding the target domain to /etc/hosts so that it resolves to 127.0.0.1 or ::1, which is a much simpler solution. Thanks for the inputs, they made me consider things differently!
This patch can be forgotten.
Please let me kindly remind you that many other patches are waiting for integration, and I listed their state here: https://www.postgresql.org/message-id/6fc41ae5-f547-4cbd-a2d5-54ad75e33fe5@cmatte.me

--
Célestin Matte
